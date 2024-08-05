The Gately Report: New Sophos CEO Focused On Helping Midmarket, Smaller Businesses
Plus, a massive phishing campaign exploited Proofpoint's email protection.
August 5, 2024
Sophos' Joe Levy
Channel Futures: What role are MSPs and channel partners playing in this effort to help more midmarket and smaller organizations?
Joe Levy: An exceedingly critical role, I would say. This is not the sort of thing that vendors are going to be able to solve on their own. This can only be solved through a partnership between the vendors who are operating in this hybridization of products and services, to where you're designing the best set of tools for the operators. And I believe that can only occur when you do both. You have to be both the technology provider, the creator of the threat intelligence, and you also have to be the operator of this technology that you're building. That's the only way that you can get this closed-circuit, full-loop understanding of how effective this stuff is and how you need to continue to refine it. You have the vendors, a small set of vendors I believe, that are operating in the cybersecurity space that have, No. 1, figured this out, and No. 2, are demonstrating an ability to do this at scale in order for them to be able to reach the vast majority of the market.
Think of it this way. The Small Business Administration (SBA) here in the United States estimates that there are about 33 million small businesses defined as 500 employees or fewer. That makes up about 99% of all of the businesses in operation in the United States. You could look at all of the vendors that operate in the cybersecurity space, and you could ask the question, "Do they have the capacity on their own to actually reach those 33 million businesses?" The answer is absolutely not. The only way that they're ever going to reach them is going to be in partnership with this army of partners and MSPs. The word partnership is more important than ever, I would say, and it requires that there is a deep embedding in the business models between the partners that we work with and the vendor’s understanding of what the requirements of those partners actually are in order to be able to service this vast unserved segment of the market.
CF: You have a lot of experience as chief technology officer. How is that coming into play as CEO? Is that giving you any advantages in this role?
JL: I would like to think so. Leadership comes from many different walks within organizations. Historically, we've seen a lot of executive leadership coming out of the operational areas within companies, sales areas within companies and finance areas within companies. I think recently though we're seeing more and more examples in the industry of senior leadership roles coming from the executive ranks. And I think that this is just emblematic of the change of times, the fact that technology is becoming more and more fundamental to the fabric of society every single day. The fact that we talk about cybersecurity as being a boardroom conversation now, we're treating it as a cost center, we recognize the fundamental criticality of cybersecurity knowledge and judgment at the executive ranks. And I think that we're going to see this begin to emerge as a trend, and hopefully we get to be considered a trendsetter for that reason.
I do believe that there is extraordinary value to intuition. And intuition is something that develops over the course of many, many years of doing a thing. It's impossible to fake intuition ... and I think it's very important in cybersecurity. There's also a Dunning-Kruger element to this. If you think to yourself cybersecurity is hard to do, how do we know that the intuitions that are being produced by leadership are capable of demonstrating good judgment? It comes from years and years of experience. So I would have to say that operationally, those cybersecurity companies that are being led by people who have emerged from the practitioner ranks and the technologist ranks are probably going to be better equipped to make better decisions.
CF: How are MSPs and channel partners benefitting from you becoming CEO?
JL: The fact that I've been there and I've done that. I started off working in the channel early in my career. I started off as a practitioner. I built a professional services practice at a VAR here in Utah in the mid 1990s, and we grew it to a considerable scale. It was there that I recognized the importance of being able to bring together products and services. It was at that time that I started building my own firewall that we began offering to many of our customers, and we protected a large number of businesses here in Utah using that technology. So just having been cut from the same floor, I think there's a kind of empathy that accompanies that, which is just not possible to fake.
I think having a deep understanding of what the day in the life of the practitioners really means, just understanding at a partner level how their technical teams are interacting with the technology and just the importance of improving the quality of life of the people who are operating these technologies day in and day out, whether it's the configuration paradigms that you're using in your firewall for policy management, or whether it's the security operations for the extended detection and response (XDR) platform that we're using to defend our joint customers. I think having that sort of close-to-the-metal, empathetic understanding is something that I hear from our partners is quite valuable to them because it's obvious that that's the way that we make decisions here.
CF: Were Sophos, and its customers and partners impacted by the recent global IT outage? Did Sophos have to take any action? Did Sophos actually benefit from it, new customers, etc.?
JL: We had a very small number of customers who were ... CrowdStrike and Sophos customers, and those customers were affected, but this was a very small number. So we were quite fortunate that there tends not to be a lot of overlap between the two populations. We tried to provide a voice of reason to the industry, rather than coming out and ambulance chasing the way that some of our other peers in the industry have done. We try to be a voice of reason and just urge assistance. At a time where we're dealing with this kind of global crisis and people's lives have been literally turned upside down for periods of days or even weeks, we just need to be as supportive of each other as we possibly can so that we can get through it, and then we can carry on with normal life again. And when we get to that point, of course, we can resume healthy competition, which is exactly what we engage in with CrowdStrike on a fairly regular basis.
Has it created an opportunity? I would say so. It's something that we are quantifying internally, of course, because we are curious about the effect of this sort of thing. CrowdStrike, for a very long time within the industry ... had been perceived as this sort of infallible juggernaut that could just do no wrong, and the incident drove a number of people to re-evaluate their vendor trust alignment ... And rather than focusing on anything bad or anything wrong that CrowdStrike did, which I'm not interested in doing − they're a great company − and crisis and adversity makes great companies even greater, and I'm sure that's what's going to happen to them. But this did cause a rethinking of how we think about and talk about vendor trust in the industry, and do we have the vocabulary to ask our vendors the questions that we need to understand their resilience in dealing with these sorts of mishaps when they occur — and just the likelihood of them occurring in the first place. When something goes wrong, and things will always go wrong, what is that vendor's ability to contain that? I think those sorts of ideas and questions are fundamental to trust.
Over the course of the next weeks and months, we're going to be spending a lot of time talking about this. I've always believed that Sophos has been differentiated in the cybersecurity space because of how important trust is to us, and how transparent we are about the way that we establish chains of trust in everything that we do, from how we build our software to how we do our incident response processes, to the bug bounty programs that we run and this culture of embracing the researcher community, where rather than being adversarial as some other vendors are, we actually welcome collaboration with researchers when they tell us they found a defect in our product. And the way that this manifests itself is done in a very public way because I like to put our money where our mouth is when it comes to this sort of thing. For the past few years now, we've had our trust center … and we just lay it all out there like we believe that transparency is fundamental to trust. We believe that accountability is fundamental to trust. This is something that we've been practicing for a long time. I think the recent incident is going to begin to draw attention to just how important this is.
CF: What are the biggest challenges facing Sophos and its partners, and how are you addressing those?
JL: The challenges are those of scale, economies of scale. Just being able to continue to grow our business and to be able to grow our business profitably ... this is something that we as a company and a business concern ourselves with. And all of our partners are concerned with this as well. How do they grow? How do they grow profitably? How do they choose the vendors that they're going to partner with in order to be able to make that happen in the course of their strategies? How are they aligning their road maps with the road maps of the vendors? How are they aligning their overall business goals and the fundamental strategies that drive them with the vendors that they work with? So this is something that we think about a lot when it comes to the communions that we have with our channel partners, whether it's at a partner advisory council, whether it's at the recent set of partner events that we've done, this is the basis of the conversation we talk about, how we mutually help each other to grow so that we can help more customers more effectively.
CF: AI is the hottest topic in cybersecurity. What does Sophos have to offer in terms of AI? Does it play a big role in Sophos’ MDR?
JL: AI was recently popularized by the advancements over the past couple of years in generative AI, things like ChatGPT and Gemini, that sort of cultural phenomenon. But we've actually been using AI as an industry for a very long time. And here at Sophos, we've had an AI division for about eight years now. We publish a lot of the research work that we do and a lot of the practical, applied research that appears in our products and our services. At another microsite, AI.Sophos.com, we've been fairly charitable within the industry, I would say, open sourcing a lot of the projects and the data sets that we have produced internally. We have about 70 different models in various states of application within our products and our services today, including transformer models that we've been using within our email security business for a number of years now. It basically powers our business email compromise (BEC) capability that we have within Sophos Central Email, and that's a transformer that we built ourselves. We're not relying on large language models (LLMs) from OpenAI or Anthropic, or other vendors for that. But then there are other applications where we are working with the LLM providers, like those that I mentioned, to be able to do things like approximating the intuition of an analyst, or the purpose of our XDR product and our MDR service.
I believe the opportunity in the market is not to replace humans. I don't believe that anybody who talks about replacing humans with an AI today is serious. Perhaps at some point in the future that happens, but we're not yet at the cusp of that. What we can do today and what we are doing today is we're using AI to make our humans more efficient at what they do. In other words, can we, for example, prepopulate a summary report of an incident that was discovered within our MDR practice so that when an analyst comes into the incident, instead of having to start with a blank slate and begin to write out the details of what occurred, we can prepopulate it with a summary from an AI based on the detection events that we had already sent over to it. Now the analyst, instead of spending 15 minutes on an incident summary, might have to spend 5 minutes on an incident summary. And then you do this across our 23,000 customers and you begin to see how it provides real economic benefit. So the fundamental answer to the question is we have to keep humans in the loop. The humans are going to make the AI better, and the AI is going to make the humans better. We're going to have this synergistic kind of operation that we're already seeing in our MDR service and soon in our XDR product, and I think that's going to be the basis for the kinds of advancements that we're going to see for the next five years or so.
CF: What do you find most surprising and dangerous about the current threat landscape?
JL: I think ransomware unfortunately remains top of mind for most organizations. It doesn't matter what vertical you're in; it doesn't matter what segment you're in. You could be a small, medium or the largest enterprise in the world. I think ransomware continues to be a top-of-mind concern, and we continue to see an evolution of the ransomware criminal ecosystem. We have some interesting research that we're going to be publishing at Black Hat [that highlights] the pressure tactics of ransomware gangs. ... This is an examination of the evolution of the tactics that we're seeing these gangs employing. So very just gruesome, underhanded tactics that we're seeing as they continue to evolve the various ways in which they drive this extortion model that underlies the entire ransomware ecosystem.
CF: What can partners expect from Sophos for the remainder of the year?
JL: I think we're going to continue to make investments in partner assistance programs like our fairly recently announced Partner Care program. So we want to make the partners' lives as pain free as we possibly can as a critical business partner to them, and you're going to see continued investment in that. It's always been central to the DNA of Sophos so this is nothing new. But it does demand a ... continuous evolution of these kinds of capabilities ... Other vendors are beginning to recognize just how important good relationships with partners are, and they're beginning to develop some of these capabilities in rudimentary ways. So we need to make sure that we continue to maintain a business advantage relative to some of these startups and some of these other at-scale operators who are out there. This is going to remain central to our investment thesis as a company.
In other cybersecurity news …
Guardio Labs uncovered a critical in-the-wild exploit of Proofpoint’s email protection service, responsible for securing over half of the Fortune 100 companies.
Guardio Labs explains its discovery in a blog.
Dubbed “EchoSpoofing,” the issue let threat actors send millions of perfectly spoofed phishing emails impersonating Proofpoint customers, including well-known companies and brands such as Disney, IBM, Nike, Best Buy and Coca-Cola. Because the emails were relayed through official Proofpoint email relays, they passed the email authentication checks (SPF and DKIM) for the spoofed domains and so bypassed major security protections, all to deceive recipients and steal funds and credit card details.
The campaign successfully sent millions of phishing emails to customers of many of these companies – including Disney.
Guardio's Nati Tal
“This activity started around January 2024, and we can see how those servers, domains and Office 365 accounts were set up to two months earlier,” said Nati Tal, head of Guardio Labs. “Our data allows us to approximate a daily average of 3 million perfectly spoofed emails ever since, with some peaks reaching a daily number of up to 14 million.”
Proofpoint said its researchers identified in March spam campaigns that were being relayed through a small number of Proofpoint customers’ email infrastructure, with the spam originating from Microsoft 365 tenants the actor controlled. All analyses indicate the activity was conducted by a single spam actor, which Proofpoint did not attribute to a known entity.
“Since discovering this spam campaign, we have worked diligently to provide corrective instructions, including implementing a streamlined administrative interface for customers to specify which Microsoft 365 tenants are allowed to relay, with all other Microsoft 365 tenants denied by default,” it said. “These campaigns did not expose any Proofpoint customer data, and no customer experienced any data loss as a result.”
Proofpoint said it “greatly appreciated” the support and information provided by the wider security and service provider community including Guardio Labs.
“In late May, while we were continuing to conduct customer outreach, Guardio Labs contacted us through our established security contact email address,” it said. “They shared additional technical information that allowed us to more accurately reproduce the relay setup and validated that changes we instructed our customers to make were effective in stopping relay abuse.”
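The remediation Proofpoint describes, an explicit allowlist of Microsoft 365 tenants with every other tenant denied by default, is the standard fix for a relay that accepts mail on the strength of its From domain alone. The following is an added illustration written for this page, not Proofpoint’s or Guardio’s code. It assumes the relay identifies the originating tenant from the X-OriginatorOrg header that Exchange Online stamps on outbound mail (an assumption of this example; a production relay would also verify the connecting host), and the customer domain, tenant names and sample messages are all constructed.

```python
"""
Relay-policy check in the shape of the EchoSpoofing fix: permissive
(relay anything from Microsoft 365 that claims the customer's domain)
beside default-deny (only explicitly allowlisted tenants may relay).
Added example; not Proofpoint's code. Tenant names and messages are constructed.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Hypothetical customer configuration: the domain the customer owns and the
# Microsoft 365 tenant(s) it has explicitly authorised to relay through it.
CUSTOMER_DOMAIN = "example-brand.test"
ALLOWED_TENANTS = {"example-brand.onmicrosoft.com"}


def sender_domain(msg: Message) -> str:
    """Domain part of the RFC 5322 From header, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def originating_tenant(msg: Message) -> str:
    """Tenant domain stamped by Exchange Online in X-OriginatorOrg
    (assumption of this example); empty if the header is absent."""
    return msg.get("X-OriginatorOrg", "").strip().lower()


def permissive_relay(msg: Message) -> bool:
    """Pre-fix behaviour: relay any message that arrived from some Microsoft 365
    tenant and claims the customer's domain, whichever tenant sent it."""
    return sender_domain(msg) == CUSTOMER_DOMAIN and originating_tenant(msg) != ""


def default_deny_relay(msg: Message, allowed=ALLOWED_TENANTS) -> bool:
    """Hardened behaviour: the From domain must be the customer's AND the
    originating tenant must be on the explicit allowlist; all else is denied."""
    return sender_domain(msg) == CUSTOMER_DOMAIN and originating_tenant(msg) in allowed


# Constructed sample messages (headers only; the body plays no part).
LEGIT = """From: "Billing" <billing@example-brand.test>
To: customer@example.net
X-OriginatorOrg: example-brand.onmicrosoft.com
Subject: Your invoice

body
"""

SPOOFED = """From: "Billing" <billing@example-brand.test>
To: victim@example.net
X-OriginatorOrg: attacker-tenant.onmicrosoft.com
Subject: Action required

body
"""

NOT_M365 = """From: "Billing" <billing@example-brand.test>
To: victim@example.net
Subject: No tenant header at all

body
"""


def evaluate(raw: str) -> dict:
    """Return both policy decisions for a raw message so they can be compared."""
    msg = message_from_string(raw)
    return {
        "tenant": originating_tenant(msg),
        "permissive": permissive_relay(msg),
        "default_deny": default_deny_relay(msg),
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("not_m365", NOT_M365)):
        print(name, evaluate(raw))
```

The check has to run before the relay signs and forwards the message: once a spoofed message has passed through the customer’s authorised relay it carries the customer’s DKIM signature and is sent from the customer’s SPF-listed hosts, which is exactly why recipient-side filters could not distinguish the EchoSpoofing mail from the real thing. Under the permissive policy the spoofed message from an unrelated tenant is relayed; under default-deny it is refused and only the allowlisted tenant gets through.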
Some 86% of cyber professionals are most concerned about unknown organizational cyber risks, according to Critical Start’s second annual Cyber Risk Landscape Peer Report.
This is a 17% increase compared to last year, signifying a need to advance proactive cyber risk management practices, in addition to threat-based detection and response within security programs.
Over 1,000 cyber professionals were polled for the report.
The report also found:
Eighty-three percent of cybersecurity professionals reported experiencing a cyber breach requiring attention, despite having traditional threat-based detect and respond security measures, a significant increase from previous years.
Cyber expertise is a growing issue. In 2023, Critical Start reported 37% of cybersecurity professionals cited a lack of expertise as a challenge faced in effective cyber risk management. This year, that number increased to 50%.
Ninety-nine percent said they plan to implement a managed cyber risk reduction (MCRR) solution to continuously monitor and mitigate cyber risks, and 99% of these same organizations are planning to offload segments of cyber risk reduction projects to security providers, which is an increase of 8% compared to 2023.
The report found 81% of organizations are planning to prioritize proactive risk reduction strategies to stay ahead of the evolving threat landscape. This includes continuous risk monitoring, threat intelligence integration and timely incident response.
Critical Start's Randy Watkins
“Threat detection and response is essential for organizations, as this represents the final line of defense before attacks escalate into significant breaches or cause major business disruption,” says Randy Watkins, Critical Start’s CTO. “Based on our research, 99.4% of cyber leaders want to combine proactive security elements into their detect and response capabilities. By incorporating capabilities such as finding hidden assets, endpoint coverage gaps and failed log ingestion, organizations can improve security operations outcomes.”
New Sophos CEO Joe Levy said partners are playing a critical role in the vendor’s efforts to help midmarket and smaller organizations, and the hybridization of products and services.
Levy had served as president and acting CEO since February, when Kris Hagerman stepped down from the position. The company then named him CEO in May.
The new Sophos CEO has been with the vendor since 2015 and started as chief technology officer.
Levy will be a keynote speaker at next month's MSP Summit in Atlanta.
“I have fundamentally believed for the 30-plus years that I've been doing cybersecurity that there is just an overinvestment of dollars and attention in the enterprise segment of the market,” he said. “Most cybersecurity startups build products for enterprise buyers, and most of the mature businesses that exist in the product space or in the services space tend to be optimized for serving the larger customers. And very, very few organizations, either on the product or the service side, are designed uniquely to serve that underserved segment of the market, the midmarket and SMB in particular.”
New Sophos CEO Has 'Keen Interest' in Midmarket, SMB
While working with a Utah-based VAR in the 1990s, Levy developed a keen interest in midmarket and smaller businesses.
“The other lesson that I learned while I was doing this is that there needs to be a hybridization of products and services,” he said. “You can't just design a set of technologies, throw them over a fence and hope for good outcomes based on that. The past decade in particular has taught us rather acutely that cybersecurity is an interactive sport and that we have to have continuous engagement with the technologies to ensure that they're doing for us what we expect them to do. Large enterprises are generally better equipped to be able to do that, meaning that they have the staffing, the talent and the budgets to be able to provide 24/7 security operations centers. The vast majority of SMBs, even into the midmarket, generally lack that kind of resourcing, and this just aligns with the well-understood concept of a cybersecurity skills shortage that exists globally today, but it's most acutely felt by that segment of the market.”
Vendors should be providing a combination of both products and services to ensure not just the deployment of the technology, but effective operation of that technology, Levy said.
“So that's fundamentally what drives me and what we've been focusing on and will continue to focus on as a company,” he said.
